Armeria · CVE-2021-43795
Name of the Vulnerable Software and Affected Versions:
Armeria versions prior to 1.13.4
Description:
An attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria's path validation logic.
Recommendations:
For versions prior to 1.13.4, update to Armeria 1.13.4 or above, which contains the hardened path validation logic that handles `%2F` properly.
As a temporary workaround, consider inserting a decorator that performs additional validation of the raw request path, such as checking whether the path contains `%2f` or `%2F` and returning a `BAD REQUEST` response if it does.
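The workaround above, written out as an added example (this is not code from the advisory or from the Armeria project): a server-wide decorator that inspects the raw `:path` header before Armeria decodes and routes it, and answers `400 Bad Request` when it finds an encoded slash in either case. The `FileService` directory `/srv/public` and the port are placeholders; the Armeria calls used (`Server.builder()`, `ServerBuilder.decorator`, `HttpRequest.path()`, `HttpResponse.of(HttpStatus)`, `FileService.of(Path)`) are assumed from the public Armeria API and should be checked against the version you run.

```java
import java.nio.file.Paths;
import java.util.Locale;

import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.server.Server;
import com.linecorp.armeria.server.file.FileService;

public final class EncodedSlashGuard {

    /**
     * Returns true when the raw request path (before percent-decoding)
     * contains an encoded slash, in upper or lower case. The check must run
     * on the raw path: once the path has been decoded, "%2F" has already
     * become "/" and the bypass has already happened.
     */
    static boolean containsEncodedSlash(String rawPath) {
        return rawPath.toLowerCase(Locale.ROOT).contains("%2f");
    }

    public static void main(String[] args) {
        Server server = Server.builder()
                .http(8080)
                // Applied to every service, so the check runs before routing.
                .decorator((delegate, ctx, req) -> {
                    // req.path() is the ':path' pseudo-header as received,
                    // i.e. still percent-encoded (query string included).
                    if (containsEncodedSlash(req.path())) {
                        return HttpResponse.of(HttpStatus.BAD_REQUEST);
                    }
                    return delegate.serve(ctx, req);
                })
                // Placeholder static-file directory; substitute your own.
                .serviceUnder("/files", FileService.of(Paths.get("/srv/public")))
                .build();
        server.start().join();
    }
}
```

Because `req.path()` includes the query string, a `%2F` inside a query parameter is also rejected; that is deliberately conservative for a stop-gap and is removed once the server is upgraded to 1.13.4 or later, where the path validation itself handles `%2F`.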